From: Dave Page <[email protected]>
To: Ashesh Vashi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Cc: Josh Berkus <[email protected]>
Cc: Devrim GÜNDÜZ <[email protected]>
Subject: Re: RM1849: Auto-generating security keys
Date: Fri, 14 Oct 2016 18:27:19 +0100
Message-ID: <CA+OCxozo4=FCjorfF8j4QH=p4iEa15Bp4P0bD5+Ch=aFY37ERg@mail.gmail.com>
In-Reply-To: <CAG7mmoyhJXXrLv+fgjmgd-Z5GFSaJfHTC89MWQ8LQX3Atw-04A@mail.gmail.com>
References: <CA+OCxownxfR2eDEaXNkgSdFqat6+AQgukrzcYOyoFX0V-zs_VA@mail.gmail.com>
<CAG7mmoyhJXXrLv+fgjmgd-Z5GFSaJfHTC89MWQ8LQX3Atw-04A@mail.gmail.com>
Hi
On Thursday, October 13, 2016, Ashesh Vashi <[email protected]> wrote:
> Hi Dave,
>
> On Tue, Oct 11, 2016 at 9:10 PM, Dave Page <[email protected]> wrote:
>
>> Hi Ashesh,
>>
>> Can you please review the attached patch, and apply if you're happy with
>> it?
>>
> Overall the patch looked good to me.
> But - I encounter an issue in 'web' mode, which won't happen with 'runtime'.
>
> Steps for reproduction on an existing pgAdmin 4 environment with 'web' mode.
> - Apply the patch
> - Start the pgAdmin4 application (stand alone application).
> - Open pgAdmin home page.
> - Log out (if already logged in).
>
> And, you will see an exception.
>
> I have figured out the issue with the patch.
> We were setting the SECURITY_PASSWORD_SALT, after initializing the
> Security object.
> Hence - it could not set the SECURITY_KEY, and SECURITY_PASSWORD_SALT
> properly.
>
Hmm.
>
> I had moved the Security object initialization after fetching these
> configurations from the database.
> I have attached an add-on patch for the same.
>
OK, thanks.
>
> Now - I run into another issue.
> Because - the existing password was hashed using the old
> SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.
>
> I think - we need to think about a different strategy for upgrading the
> configuration file in the 'web' mode.
> I was thinking - we can store the existing security configurations in the
> database during upgrade process in 'web' mode.
>
My concern with that is that we'll likely be storing the default config
values in many cases, thus for those users, perpetuating the problem.
I guess what we need to do is re-encrypt the password during the upgrade -
however, that makes me think: we then have both the key and the encrypted
passwords in the same database, which is clearly not a good idea. Sigh...
Needs more thought.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
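As an added illustration of the login failure Ashesh describes (this is not code from the pgAdmin patch or from Flask-Security), here is a stdlib model of the HMAC-then-hash scheme Flask-Security applies with SECURITY_PASSWORD_SALT: a hash produced under the old salt no longer verifies under a new one, and the only way to re-hash is with the plaintext, which is available at the user's next login rather than during an offline upgrade. The salt values and the login_and_migrate helper are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-ins for the salt read from the old config file and the
# auto-generated one the patch introduces.
OLD_SALT = b"old-config-file-salt"
NEW_SALT = b"auto-generated-salt"
PBKDF2_ROUNDS = 50_000


def _hmac_password(salt: bytes, password: str) -> bytes:
    # Keyed pre-hash: the configured "salt" acts as an HMAC key over the
    # password, so changing it changes the input to every stored hash.
    return base64.b64encode(hmac.new(salt, password.encode(), hashlib.sha512).digest())


def hash_password(salt: bytes, password: str, per_user_salt: Optional[bytes] = None) -> str:
    # Stored form: hex(per-user salt) $ hex(PBKDF2-SHA512 over the HMAC'd password).
    per_user_salt = per_user_salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", _hmac_password(salt, password), per_user_salt, PBKDF2_ROUNDS)
    return f"{per_user_salt.hex()}${digest.hex()}"


def verify_password(salt: bytes, password: str, stored: str) -> bool:
    per_user_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", _hmac_password(salt, password), bytes.fromhex(per_user_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login_and_migrate(password: str, stored: str) -> Tuple[bool, str]:
    # Upgrade path (hypothetical): accept a login that verifies under the old
    # salt, then re-hash under the new salt. This needs the plaintext, so it
    # cannot be done for all users during an unattended upgrade.
    if verify_password(NEW_SALT, password, stored):
        return True, stored
    if verify_password(OLD_SALT, password, stored):
        return True, hash_password(NEW_SALT, password)
    return False, stored
```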